WHOIS ready for the GDPR?: Issues clouding the access to the data of domain registrants

May 25, 2018


The General Data Protection Regulation[1] (hereinafter referred to as ‘GDPR’), adopted by the European Union (hereinafter referred to as ‘EU’) and effective from May 25, 2018, aims at the protection of EU residents from privacy breaches and data thefts. To ensure this, the GDPR will make access to the personal information of EU residents very limited by making the consent of the data subject a necessary precondition. Such consent also needs to be free, explicit, informed and unambiguous. This regulation has raised concerns and issues regarding the accessibility of WHOIS data.

What is the WHOIS database and what is the major concern?

The WHOIS database service is an online tool for searching relevant information on domain registration and availability. The availability of this information benefits the public at large; however, the data also contains personal information (as per the GDPR) of domain name registrants and therefore, such a database will not remain public data once the GDPR is effective. Thus, the GDPR poses a threat to the existence of the valuable WHOIS service.

How does WHOIS help protect IP rights?

WHOIS helps in the protection and enforcement of IP rights in the following ways:

  1. Effective Communication: The WHOIS service helps in communicating with the domain name registrant for the purpose of informing them about infringement activities taking place against the registered domain.
  2. Avoidance of unnecessary litigation: WHOIS helps in the sending of Cease and Desist notices, which give the infringer an opportunity to stop the infringing activities without being involved in litigation battles.
  3. Investigation of IP infringement: The WHOIS service aids the investigation of websites which are named specifically for the purpose of being passed off as other domains.
  4. Investigation of Cybersquatting: The WHOIS service also helps in the investigation of malicious cyber activities such as the registration of domains in the name of well-known brands ahead of the trademark owners so that such domains can later be sold at high profits.

Without access to WHOIS directories and services, the above-mentioned benefits to the domain name registrant may become inaccessible, thereby allowing infringers to hide behind the GDPR.

What is ICANN?

The Internet Corporation for Assigned Names and Numbers (hereinafter referred to as ‘ICANN’) is an organisation that helps in the coordination of the functions of the Internet Assigned Numbers Authority (hereinafter referred to as ‘IANA’). These functions are key technical services critical to the continued operations of the Domain Name System.[2] A domain is something that has to be typed into the address bar of a web browser (it can be numeric, alphanumeric or both) to access a particular website. This makes the Domain Name System the internet’s address book.

What does ICANN have to say about the GDPR compliance?

ICANN released the working draft[3] of its proposed Temporary Specification for Generic Top-Level Domain (gTLD) Registration Data (hereinafter referred to as ‘specifications’) on May 14, 2018 and has instructed the companies contracted to it that, in order to become compliant with the GDPR, the contents of this draft need to be implemented. Unfortunately for the data controllers who operate the WHOIS system, the effective date of the GDPR, i.e. May 25, 2018, is not far away and thus, compliance with the specifications is difficult.

The specifications propose an interim model which is aimed at establishing a mechanism to get in touch with domain name registrants without exposing their identity. The draft document provides that the data which will no longer be publicly available will include the registrant’s name, the registrant’s email and the registrant’s address. However, the country of the registration will be public information. Further, access to the information that is not publicly available will depend upon each registrar and registry, some of which may insist on a court order while others may refuse to provide access until an accreditation mechanism is developed. In terms of contact information, an email address or web form mechanism would have to be provided to allow contact with the registrant, although the draft notes that the email address and/or web form URL should not contain, or be derived from, the email address of the specific contact.[4]

This temporary specification limits the ability of rights holders to enforce their rights online and is expected to cause hindrances in infringement cases and court proceedings. Further, as per the temporary specification, the restrictions on WHOIS data will apply beyond the EU.

Jeff Neuman, Senior Vice-President of Com Laude USA, reported on Twitter on May 14, 2018 that the ICANN Board was still expecting the Temporary Specification dealing with WHOIS and GDPR to start on May 25 for a period of 90 days (renewable for 3 additional 90-day periods).

As per the publication on ICANN’s website titled “ICANN Receives Data Protection/Privacy Guidance from Article 29 Working Party”, ICANN had argued that unless there is a moratorium, WHOIS service cannot be maintained and without resolution of these issues, the WHOIS system will become fragmented. Fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services.[5]

However, ICANN’s Twitter account posted on May 18, 2018 that the ICANN Board has voted to adopt the Temporary Specification for gTLD Registration Data.

As per reports, site registrars will still collect the registration data they’ve always collected. This includes Registrant, Administrative, and Technical contact information. But most personal data will not be available publicly. If someone does need the data — say you forgot to renew your domain name and someone else grabbed it — you can get access to their contact data through your domain registrars. This may be via an anonymized email or web form.[6]

Looking ahead:

It is important to mention that, on implementation of the GDPR, WHOIS services and databases will have to cease to exist as public services, as such data will no longer remain public information.

David J. Redl, Assistant Secretary for Communications and Information, at the National Security Telecommunications Advisory Committee (NSTAC) Meeting held on May 17, 2018, stated that “Absent a broader interpretation of Article 49, a short-term moratorium on GDPR enforcement with regard to WHOIS may be necessary. If not, then come May 25, we anticipate registries and registrars will stop providing access to WHOIS directories and services. The loss of access to WHOIS information will negatively affect law enforcement of cybercrimes, cybersecurity, and intellectual property rights protection activities globally.”[7]

Possible courses of action which IP holders can take in order to gain access to the WHOIS system are as follows:

  1. Filing of John Doe suits/subpoenas.
  2. Sending Cease and Desist letters to the concerned registrar so that they may be forwarded to the registrant.
  3. Identification of the hosting provider with the help of IP addresses and sending a takedown request to such hosting provider.
  4. Lobbying against the concerned authorities.


[1] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG.
[2] Refer: https://www.icann.org/resources/pages/welcome-2012-02-25-en.
[3] Available at: https://www.icann.org/en/system/files/files/proposed-gtld-registration-data-temp-specs-14may18-en.pdf.

For more information please contact us at: info@ssrana.com